There have been too many sites compromising personal data. There is no excuse. It is not hard to stop most, if not all hackers. All you have to do is care about your customers. This module describes how you can easily and effectively stop many hack attacks and protect your customer data on your servers.
For more information, tools, and resources, visit http://free2secure.com/.
If you are interested in keeping up with the latest books, articles, and tools from me at Free2Secure, send me an email at steve @ free2secure.com with the subject “Subscribe”.
If you have any security questions or issues, shoot me a note to steve @ free2secure.com with the subject “Help”.
1. Security eBooks: Protecting Passwords & Securing Servers
Steven Davis
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416
2. Standard Server Architecture
• 3-Tier / N-Tier
• Lots of Apps and Services on a box
• Split up for performance, if at all
• … a “mini-cloud”
• Why? Servers Expensive… in the old days
3. Bootstrap Attack!
• Attackers use weakness in one part of a system to attack another
– Privilege Escalation … dangerous if more privileges can get you somewhere
– SQL Injection … only dangerous if there is something valuable in the same database or accessible via the same account
4. The Server Architecture Problem
• Lots of tools and lots of developers
– Many of them not on your team
– Very few security focused
• Too many things to go wrong!
5. Solution – More Servers (or Virtual Servers)
• Break up online service infrastructure to multiple servers by function
• Reduce number that are internet facing
• Reduce and simplify security interfaces
• Add proxies to isolate data and applications
6. One Data Store per Server App
Divide for Security
[Diagram: separate data stores for Game Engine, Player Assets, Player Account, Community, and Player Access Info]
• Separate Database & Access Account
• Separate Data Store
BETTER:
• Separate Virtual Server w/own Database App
• Separate Actual Server
Add “Connector” Datastores (Login Status, Player Stats, etc.) rather than links to critical databases
7. Combine with Proxy Security
Some online games dangerously include a SQL client and talk directly to the game server
[Diagram: proxy pipeline with the stages Incoming Message, Message Validation, Data Validation, Rules Validation, and then the Database]
• Protecting Database from SQL injection / direct queries
• Allows Rules Validation on Server or reallocation to other players
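As an added illustration (not code from this deck), the proxy pipeline above in Python: the game client sends a JSON message, the proxy runs message, data and rules validation in turn, and only the proxy ever issues (parameterized) SQL. The schema, the `give_item` message type and all function names are constructed for the example.

```python
import json
import sqlite3

# Constructed in-memory game database standing in for the real datastore.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE players(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE items(id INTEGER PRIMARY KEY, owner INTEGER, tradeable INTEGER);
INSERT INTO players VALUES (1, 'alice'), (2, 'bob');
INSERT INTO items VALUES (10, 1, 1), (11, 1, 0);
""")

class Rejected(Exception):
    pass  # raised by any validation stage; the message never reaches the database

def validate_message(raw):
    # Stage 1, message validation: fixed shape, integer ids only (no strings, no bools).
    msg = json.loads(raw)
    if msg.get("type") != "give_item":
        raise Rejected("unknown message type")
    for field in ("player", "item", "to"):
        if type(msg.get(field)) is not int or msg[field] < 0:
            raise Rejected(f"{field} must be a non-negative integer")
    return msg

def validate_data(msg):
    # Stage 2, data validation: every referenced record must exist.
    for field in ("player", "to"):
        if db.execute("SELECT 1 FROM players WHERE id=?", (msg[field],)).fetchone() is None:
            raise Rejected(f"no such player {msg[field]}")
    item = db.execute("SELECT owner, tradeable FROM items WHERE id=?", (msg["item"],)).fetchone()
    if item is None:
        raise Rejected("no such item")
    return item

def validate_rules(msg, item):
    # Stage 3, rules validation: only the owner may give away a tradeable item.
    owner, tradeable = item
    if owner != msg["player"] or not tradeable or msg["to"] == msg["player"]:
        raise Rejected("game rule violation")

def handle_give_item(raw):
    # Proxy entry point: clients send messages, never SQL.
    try:
        msg = validate_message(raw)
        item = validate_data(msg)
        validate_rules(msg, item)
    except (Rejected, ValueError) as exc:  # ValueError also covers malformed JSON
        return f"rejected: {exc}"
    db.execute("UPDATE items SET owner=? WHERE id=?", (msg["to"], msg["item"]))
    return "ok"

def item_owner(item_id):
    return db.execute("SELECT owner FROM items WHERE id=?", (item_id,)).fetchone()[0]
```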
8. Make Password Service a “Dumb Appliance”
[Diagram: Session Server, Login Server and Password Server, with the data passed between them labelled Secure User Name / Account Name, Password, Account Name / Password Identifier, Password Identifier / Password Seed, and Password Identifier / Password Transform]
• Separate out Password verification from Login Service/Server
• Have Password Service work at a slow pace
• Use VERY SLOW Cryptography
– Select algorithms or combinations of algorithms to take a specific amount of time… traditional cryptography is designed to run fast to support communications…. This is not the problem we face with passwords!
• Consider Split Architectures
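An added example (not from the deck) of the split architecture above in Python: the password appliance sees only opaque identifiers and answers yes/no with a deliberately slow transform, while the login server maps account names to identifiers and holds no seeds or transforms. The class names are constructed, and PBKDF2-HMAC-SHA256 with a calibrated iteration count is assumed as the slow transform.

```python
import hashlib, hmac, os, secrets, time

class PasswordAppliance:
    # The "dumb appliance": knows only opaque password identifiers, never account names,
    # stores (identifier -> seed, transform) and answers a single yes/no question.
    def __init__(self, iterations):
        self.iterations = iterations  # deliberately high: slow by design
        self._store = {}

    def _transform(self, seed, password):
        # Assumption: PBKDF2-HMAC-SHA256 stands in for the deck's "very slow" transform.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), seed, self.iterations)

    def enroll(self, identifier, password):
        seed = os.urandom(16)
        self._store[identifier] = (seed, self._transform(seed, password))

    def verify(self, identifier, password):
        record = self._store.get(identifier)
        if record is None:
            # Burn the same time for unknown identifiers so timing does not reveal them.
            self._transform(os.urandom(16), password)
            return False
        seed, transform = record
        return hmac.compare_digest(self._transform(seed, password), transform)

class LoginServer:
    # Split architecture: this side maps account names to identifiers and holds no seeds
    # or transforms, so a dump of the appliance yields hashes with no account names
    # attached and a dump of the login server yields no hashes at all.
    def __init__(self, appliance):
        self.appliance = appliance
        self._ids = {}

    def register(self, account, password):
        identifier = secrets.token_hex(16)
        self._ids[account] = identifier
        self.appliance.enroll(identifier, password)

    def login(self, account, password):
        identifier = self._ids.get(account, secrets.token_hex(16))  # unknown: still slow
        return self.appliance.verify(identifier, password)

def calibrate_iterations(target_seconds, probe=20000):
    # Pick an iteration count so one verification takes roughly target_seconds on this box.
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", bytes(16), probe)
    return max(probe, int(probe * target_seconds / (time.perf_counter() - start)))
```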
9. Protect Email and Online Service Identity Info… by taking them offline
[Diagram: the Login Service sends (Encrypted) Info Updates from the Active Service to a Back Office store holding Personal Info, Email, and Payment Info]
• Users don’t need regular access to their entire identity profile… so take what is not needed regularly offline
• Only have temporary store for user info while it is being entered or changed
10. Six Forms of Personal ID
• Separate them and use them all
– Login Name
– Internal Account Number
– Handle (Community name)
– Email
– Personal Contact Information
– Payment Information
Using emails for user names or user names for handles just makes attacking easier
11. What next?
• Don’t give up!
• More security presentations at:
http://free2secure.com/
• Check out my book “Protecting Games”
– Additional information at http://playnoevil.com/
• You can “win” the security game
12. About Me
• Steven Davis
– 25+ Years of Security Expertise
– I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications
• http://www.linkedin.com/in/playnoevil
– Author, “Protecting Games”
• Why Free2Secure?
– Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/
– Join me there, ask questions, challenge assumptions, let’s make things better